6 Replies Latest reply: Jun 12, 2014 5:40 PM by rmetzger

    API to call McAfee Scan Engine


      Hi,


      I am new to this forum.

      Please redirect me to the right forum if I have landed in a different discussion.


      My query is as follows:


      We have many enterprise applications where users upload files to the server.


      Some applications use FTP to upload files, some use a Java method, some use a PHP method, and some use the standard HTTP/HTTPS method to upload files.


      Whenever files are uploaded, we want to scan the files for any infection.


      Our setup is hosted outside, so we cannot use a web AV gateway whereby files can be scanned by a web AV server.


      We need to rely on the native AV installed on the server.


      Are there any API calls from McAfee that we can use in various applications like Java, PHP, ASP.NET, or the command line for FTP?


      Thanks and regards,



        • 1. Re: API to call McAfee Scan Engine

          In what Enterprise product do you want to do this?

          • 2. Re: API to call McAfee Scan Engine

            I've moved this question from (Consumer) VirusScan to (Business) VirusScan Enterprise for attention.


            If it belongs elsewhere can a Business section Moderator please move it to the correct location?

            • 3. Re: API to call McAfee Scan Engine

              Hi Jeetu_Chaudhari,


              Welcome to these forums!


              If you are already running VSE v8.8 on the server, unless you are specifically excluding the upload directory, the On-Access Scanner (OAS) should already be checking the files uploaded. Running the Stinger or the Command Line Scanner (CLS) is a duplicate scan, which I would assume has limited value. I guess you could be checking the uploaded files using different scanning rules than the OAS rules.


              If running VSE, Make Sure: 'Scan on Read' is checked in addition to 'Scan on Write' as many newer forms of malware can avoid detection if only scanning on Writes to disk.


              If you are using a different real-time active AV package, and you are using the command line process as a second check, be careful to avoid deadlocks between the two packages. (Upon upload, any real-time scan by whatever AV package may lock files during its scan, which if the file is then checked by CLS or Stinger, can cause a deadlock. This would be bad, particularly on a server.)


              Secondary scans of files uploaded can also be done by calling Scan32.exe as well. This should eliminate potential deadlocks but limit Exit ErrorLevel codes to tell what happened on any given file. See the Best Practices Guide to VirusScan Enterprise for more details.


              Hopefully this is helpful.


              Ron Metzger

              • 4. Re: API to call McAfee Scan Engine

                Hi guys,


                Thanks for all your help.


                Good direction by Ron Metzger.


                I am looking for VirusScan Enterprise.


                I have just looked over the Best Practices Guide to VirusScan Enterprise.


                I read that both options, 'When writing to disk' and 'When reading from disk', are enabled by default.


                But,

                even though I have enabled the On-Access Scanner (OAS) on the upload directory,

                I just wanted to know: as a security measure, is it sufficient?


                If this were the case, why do many organisations like Yahoo and Google do an on-upload scan of email attachments?


                Thanks and regards,

                Jeetu Chaudhari

                • 5. Re: API to call McAfee Scan Engine

                  There is a test EICAR (or something like that) 'virus' that McAfee should detect. You could try uploading that through various FTP methods and see if the server properly detects it.

                  • 6. Re: API to call McAfee Scan Engine

                    Hi Jeetu,


                    Andy Ross is correct in testing using EICAR as a safe, effective way to ensure your Real-time scanner is working.


                    To make the test EICAR file for yourself:

                    1) Turn OFF any Real-Time scanner. In VSE this would be the On-Access Scanner.


                    2) Copy and paste the next line into a file, such as EICAR.TXT



                    Note: The EICAR file is an Industry-wide and accepted file that is used for this purpose that is Safe and NOT a real Virus.


                    3) copy /b EICAR.TXT EICAR.EXE


                    4) Create a .Zip file (using your favorite archiver program) copying EICAR.TXT and EICAR.EXE to an archive, such as: EICAR.ZIP


                    5) Repeat the .zip file creation again, but password protect the archive with a password which you will remember, such as: EICAR-PW.ZIP


                    6) Copy these files to a USB Flash Drive (or other simple to isolate drive store). Make as many copies of this group of files as you think you might need, on isolated storage, as successful 'tests' will delete files upon detection.


                    7) Finally, re-enable your Real-time AV scanner.


                    Now, you should have several files with which you can test the real-time scanner's ability to catch EICAR.


                    FTP it, or copy it, etc. to whatever Upload directory you have. Test away.


                    This would be a good time to see if files get locked by one scanner or the other, and what happens when the second scan attempts to do its thing.


                    Also, note how the copy of the password protected archive will most likely not get detected.


                    This is by no means an exhaustive test, but should highlight problems in detection and cleanup when things are 'working normally.'


                    Have fun.

                    Ron Metzger
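
Added example, not code from any poster in this thread or from McAfee: a sketch of the "secondary scan on upload" idea from replies 3 and 6, where an upload is held in a staging directory, handed to a command-line scanner, and only published on a clean verdict. The scanner command, the exit-code convention (0 means clean) and the stub scanners are assumptions made for the demo; a hung scan (for example on a file lock) and a file removed by the real-time scanner both fail closed.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Assumption: exit code 0 is the scanner's only "clean" result. Take the real
# command line and exit codes from the scanner's own documentation.
CLEAN_EXIT_CODES = {0}

def scan_and_release(staged, final_dir, scanner_cmd, timeout=60):
    """Scan a staged upload and move it to final_dir only on a clean verdict.
    Returns 'released', 'rejected' or 'error'; only 'released' publishes the file."""
    try:
        proc = subprocess.run(scanner_cmd + [str(staged)],
                              capture_output=True, timeout=timeout)
    except (subprocess.TimeoutExpired, OSError):
        # Scanner hung (for example on a file lock) or could not start: fail closed.
        return "error"
    if not staged.exists():
        # The real-time scanner, or the scan itself, removed the file on detection.
        return "rejected"
    if proc.returncode not in CLEAN_EXIT_CODES:
        staged.unlink(missing_ok=True)
        return "rejected"
    final_dir.mkdir(parents=True, exist_ok=True)
    os.replace(staged, final_dir / staged.name)  # staged.name is server-generated
    return "released"

# Constructed stand-in scanners for the demo (hypothetical, not a real product).
STUB = ("import sys; data = open(sys.argv[1], 'rb').read(); "
        "sys.exit(13 if b'CONSTRUCTED-MARKER' in data else 0)")
DELETER = "import os, sys; os.remove(sys.argv[1])"  # file deleted during the scan
HANG = "import time; time.sleep(60)"                # scan that never returns

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        staging, final = Path(tmp, "staging"), Path(tmp, "uploads")
        staging.mkdir()
        cases = {"clean": (b"hello", STUB, 30), "flagged": (b"x CONSTRUCTED-MARKER", STUB, 30),
                 "deleted": (b"hello", DELETER, 30), "hung": (b"hello", HANG, 2)}
        for name, (content, stub, limit) in cases.items():
            staged = staging / f"{name}.bin"
            staged.write_bytes(content)
            verdict = scan_and_release(staged, final, [sys.executable, "-c", stub], limit)
            results[name] = (verdict, (final / staged.name).exists())
    return results

if __name__ == "__main__":
    print(demo())
```

Files left in staging after an `error` verdict are never published and can be reviewed or rescanned later.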